As far as I know, there is no tool like this for this work to be done. You need to create separate objects with group, network, services. The only solution is a manual one, where you have to take extra caution not to make an issue.

Please, instead of pasting the command, type it in. Make sure you have the correct object name; this could be the reason it is not taking the command. To check if you have the correct object name, run this command: show run object network in-line | i OBJ-ANYCONNECT-SUBNET. If there is still a problem, share your AnyConnect configuration.

A FlexConnect AP is authenticated via 3650/3850 SW 16.x against ISE 2.3 with multi-host mode and there is the default ACL on the interface allowing only DHCP/DNS traffic before successful AuthC/AuthZ. Is it possible to allow any communication on the interface coming from the wireless client by the dACL permit ip any any once the FlexAP is authorized?

I have never worked on a FlexConnect AP but did work on LOCAL MODE AP, so here is my input. No, I think you can't do this. Let's understand the logic: the AP and the wireless controller create a CAPWAP tunnel, which is secure communication. So you cannot apply a dACL on this for client wireless users, unless you create the ACL on the wireless controller and the dACL on ISE to push the CoA.

Is the dACL applied to the entire session for all MAC addresses or just for the MAC of the FlexConnect AP and the rest traffic is still blocked by the default ACL?

This would be applied to the FlexConnect AP only, even though you have authentication mode host-mode multi-auth enabled.

If the dACL does not work in this scenario, how can I permit any traffic from the connected wireless Client if the FlexAP is used in low impact mode and the interface is configured in multi-host mode?

Create an ACL on the wireless controller and also the dACL on ISE, then marry these two. You can achieve what you are asking for.